1. Overview

In networked file sharing, the Server Message Block (SMB) protocol plays a crucial role. SMB enables the sharing of files, printers, and other resources among devices on a local network or over the Internet. For system administrators and security professionals, determining which SMB shares a user has read and write access to from a Linux system can be essential for managing permissions.

In this tutorial, we’ll explore various methods to determine which SMB shares a user has read and write access to.

2. What Is SMB?

SMB is a network file-sharing protocol that enables applications on a network to communicate and share resources. Developed by Microsoft, SMB has become the standard for sharing files and printers between Microsoft Windows machines. SMB operates over TCP/IP and has evolved through different versions, with SMBv3 being the latest, offering improved security features.

3. Why Determine SMB Share Permissions?

SMB shares have permissions that dictate the level of access users or groups have to shared resources. Permissions include READ, WRITE, EXECUTE, and DELETE, among others. READ access allows users to view files, while WRITE access grants the ability to modify or create new files. Executing files and deleting them are additional permissions that should be carefully managed.

Determining SMB share permissions is crucial for several reasons. It enables security professionals and administrators to perform a number of activities efficiently:

  • maintain security: understanding user access ensures that sensitive information is only accessible to authorized individuals, preventing unauthorized access and potential security breaches
  • troubleshoot issues: when users face difficulties accessing certain files or directories, assessing SMB share permissions helps identify the root cause and resolve issues
  • ensure compliance: many organizations have regulatory requirements regarding data access and sharing

Further, determining SMB share permissions helps organizations comply with these regulations, avoiding potential legal and financial consequences.

4. Using smbmap

smbmap is a powerful command-line tool designed specifically for automated SMB enumeration. It comes with various features, including the ability to identify accessible shares.

Before using smbmap to list share permissions, let’s install it using apt-get:

$ sudo apt-get install smbmap

After completing the installation, let’s use smbmap to connect to the SMB service as the administrator user on the host 192.168.1.149. We use the -u option for the username and the -p option for the password, which lets us find and check the permissions of SMB shares for the administrator:

$ smbmap -u 'administrator' -p 'password123' -H 192.168.1.149
[+] IP: 192.168.1.149:445     Name: 192.168.1.149
Disk                                                    Permissions     Comment
----                                                    -----------     -------
ADMIN$                                                  READ, WRITE     Remote Admin
C$                                                      READ, WRITE     Default share
IPC$                                                    READ ONLY       Remote IPC
Users                                                   READ, WRITE
Travel                                                  NO ACCESS

The command output provides information about available shares on the host (192.168.1.149), specifying that the administrator user has READ and WRITE access on the ADMIN$, C$, and Users shares, READ ONLY access on the IPC$ share, and NO ACCESS on the Travel share.

Since share permissions differ from user to user, let’s also check what permissions the guest user has:

$ smbmap -u 'guest' -p '' -H 192.168.1.149
[+] Guest session       IP: 192.168.1.149:445     Name: 192.168.1.149
Disk                                                    Permissions     Comment
----                                                    -----------     -------
ADMIN$                                                  NO ACCESS       Remote Admin
C$                                                      NO ACCESS       Default share
IPC$                                                    READ ONLY       Remote IPC
Users                                                   READ ONLY
Travel                                                  NO ACCESS

The guest user has limited READ ONLY access to the IPC$ and Users shares, while having NO ACCESS to system shares like ADMIN$ and C$, or to the Travel share.

5. Using crackmapexec

Another powerful command-line tool for assessing SMB shares is crackmapexec. crackmapexec is a versatile post-exploitation framework that supports various protocols like mssql, winrm, ldap, ssh, and SMB. It enables security professionals to automate tasks such as credential validation and lateral movement within a network.

Similarly, crackmapexec can determine which SMB shares a user has read and write access to. It does so by leveraging its capabilities for executing commands on remote systems.

Before using crackmapexec, let’s install it using apt-get:

$ sudo apt-get install crackmapexec

To ascertain the permissions of SMB shares, we can authenticate with the target host using crackmapexec along with the -u option for the username, i.e., administrator, and the -p option for the password:

$ crackmapexec smb 192.168.1.149 -u administrator -p 'password123' --shares
SMB         192.168.1.149  445     AVITAR         [*] Windows 6.1 Build 0 (name:AVITAR) (domain:AVITAR) (signing:False) (SMBv1:False)
SMB         192.168.1.149   445    AVITAR         [+] AVITAR\: 
SMB         192.168.1.149   445    AVITAR         [+] Enumerated shares
SMB         192.168.1.149   445    AVITAR          Share           Permissions     Remark
SMB         192.168.1.149   445    AVITAR          -----           -----------     ------
SMB         192.168.1.149   445    AVITAR          ADMIN$           READ, WRITE    Remote Admin
SMB         192.168.1.149   445    AVITAR          C$               READ, WRITE    Default Share
SMB         192.168.1.149   445    AVITAR          IPC$             READ ONLY      Remote IPC
SMB         192.168.1.149   445    AVITAR          Users            READ, WRITE
SMB         192.168.1.149   445    AVITAR          Travel           NO ACCESS

The command output displays a scan conducted with crackmapexec on the IP address 192.168.1.149. The results reveal a Windows machine named AVITAR with five accessible shares: ADMIN$, C$, IPC$, Users, and Travel. Further, the corresponding permissions indicate that ADMIN$, C$, and Users have both READ and WRITE permissions, IPC$ has READ ONLY permission, and the Travel share has NO ACCESS permission.

Now, let’s determine the share permissions for the guest user using crackmapexec:

$ crackmapexec smb 192.168.1.149 -u guest -p '' --shares
SMB         192.168.1.149  445     AVITAR         [*] Windows 6.1 Build 0 (name:AVITAR) (domain:AVITAR) (signing:False) (SMBv1:False)
SMB         192.168.1.149   445    AVITAR         [+] AVITAR\: 
SMB         192.168.1.149   445    AVITAR         [+] Enumerated shares
SMB         192.168.1.149   445    AVITAR          Share           Permissions     Remark
SMB         192.168.1.149   445    AVITAR          -----           -----------     ------
SMB         192.168.1.149   445    AVITAR          ADMIN$           NO ACCESS      Remote Admin
SMB         192.168.1.149   445    AVITAR          C$               NO ACCESS      Default Share
SMB         192.168.1.149   445    AVITAR          IPC$             READ ONLY      Remote IPC
SMB         192.168.1.149   445    AVITAR          Users            READ ONLY
SMB         192.168.1.149   445    AVITAR          Travel           NO ACCESS

The command output mirrors smbmap’s results since we’re listing the shares of the same host and user. The guest user is restricted to READ ONLY access on the IPC$ and Users shares, and has no access to the system shares ADMIN$ and C$ or to the Travel share.

6. Listing Shares With Specific Permissions

For efficient user access management, identifying SMB shares with particular permissions like READ, WRITE, or both READ and WRITE access can be essential. Both smbmap and crackmapexec offer functionalities to list shares with specific permissions.

6.1. Using smbmap

To filter shares with specific permissions using smbmap, we can pipe its output to grep with a regular expression pattern that targets lines containing READ or WRITE:

$ smbmap -u 'administrator' -p 'password123' -H 192.168.1.149 -shares | grep -E 'WRITE|READ'
ADMIN$                                                  READ, WRITE
C$                                                      READ, WRITE
IPC$                                                    READ ONLY
Users                                                   READ, WRITE

The command filters the output using grep to display only shares where the administrator user has either READ or WRITE permissions.

Let’s break down some of the command’s options to make it easy to understand:

  • -shares: instructs smbmap to enumerate and list all available shares on the target host (192.168.1.149)
  • grep -E 'WRITE|READ': -E enables extended regular expression patterns, where the pattern 'WRITE|READ' matches any lines containing either READ or WRITE

This way, we ensure that only the relevant lines are shown.

6.2. Using crackmapexec

As with smbmap, let’s use crackmapexec and filter the list of shares by permission for the administrator user, using grep with a regular expression pattern:

$ crackmapexec smb 192.168.1.149 -u administrator -p 'password123' --shares | grep -E 'WRITE|READ'
SMB         192.168.1.149   445    AVITAR          ADMIN$           READ, WRITE
SMB         192.168.1.149   445    AVITAR          C$               READ, WRITE
SMB         192.168.1.149   445    AVITAR          IPC$             READ ONLY
SMB         192.168.1.149   445    AVITAR          Users            READ, WRITE

The command output is similar to that of smbmap since we’re filtering the shares on the same user and host. It shows the Windows machine named AVITAR, enumerates its shares, and displays the shares with their permissions. In this case, the shares ADMIN$ and C$ have both READ and WRITE permissions, while IPC$ has READ ONLY permission, and the Users share has READ and WRITE permissions.
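The grep pattern in sections 6.1 and 6.2 also keeps READ ONLY lines, so it cannot isolate writable shares on its own. The following script is an added example, not part of the original article: it matches the Permissions column exactly for both tools' table formats and adds a review check for guest sessions. The function names are hypothetical, and the sample tables are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example; the two tables are constructed from the outputs shown above.
admin_smbmap() {
cat <<'EOF'
[+] IP: 192.168.1.149:445     Name: 192.168.1.149
Disk                                                    Permissions     Comment
----                                                    -----------     -------
ADMIN$                                                  READ, WRITE     Remote Admin
C$                                                      READ, WRITE     Default share
IPC$                                                    READ ONLY       Remote IPC
Users                                                   READ, WRITE
Travel                                                  NO ACCESS
EOF
}
guest_cme() {
cat <<'EOF'
SMB         192.168.1.149   445    AVITAR          Share           Permissions     Remark
SMB         192.168.1.149   445    AVITAR          -----           -----------     ------
SMB         192.168.1.149   445    AVITAR          ADMIN$           NO ACCESS      Remote Admin
SMB         192.168.1.149   445    AVITAR          C$               NO ACCESS      Default Share
SMB         192.168.1.149   445    AVITAR          IPC$             READ ONLY      Remote IPC
SMB         192.168.1.149   445    AVITAR          Users            READ ONLY
SMB         192.168.1.149   445    AVITAR          Travel           NO ACCESS
EOF
}

# shares_with_perm PERM: read either tool's table on stdin and print the shares
# whose Permissions column is exactly PERM. Both formats separate columns with
# two or more spaces, so the share name is the field just before the match.
shares_with_perm() {
  awk -v want="$1" -F'  +' '
    { sub(/[ \t\r]+$/, "") }   # trailing blanks would defeat the exact match
    { for (i = 2; i <= NF; i++) if ($i == want) { print $(i - 1); next } }'
}

# guest_exposure: shares a guest session can read or write, leaving out IPC$
# (Remote IPC), which is not a file share. Anything printed deserves a review.
guest_exposure() {
  table=$(cat)
  for perm in "READ ONLY" "READ, WRITE"; do
    printf '%s\n' "$table" | shares_with_perm "$perm"
  done | awk '$0 != "IPC$"'
}

echo "administrator, writable: $(admin_smbmap | shares_with_perm 'READ, WRITE' | tr '\n' ' ')"
echo "administrator, read-only: $(admin_smbmap | shares_with_perm 'READ ONLY' | tr '\n' ' ')"
echo "guest, needs review: $(guest_cme | guest_exposure | tr '\n' ' ')"
```

In practice, the live output of either command can be piped into shares_with_perm in place of the sample functions.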

7. Conclusion

In this article, we explored methods to determine the SMB shares to which a user has read or write access.

Whether using the straightforward enumeration of smbmap or the versatile post-exploitation features of crackmapexec, these tools offer valuable insights into SMB share permissions, contributing to a more secure and well-managed network environment.
